
CISSP Study Guide

This blog is dedicated to helping serious IT security practitioners pass the renowned CISSP exam. It is a must-read for those going for the exam who need total recall.

Wednesday, March 01, 2006

CISSP - ACCESS CONTROL SYSTEMS & METHODOLOGY

ACCESS CONTROL

Protects data from unauthorized access
Confidentiality - no unauthorized reads
Integrity - no unauthorized writes

Subject

  • An entity that requests access to data (active)

Object

  • An entity that contains or controls data (passive)


Least Privilege

Grant subjects enough access to perform required tasks
Goal is to minimise accidental authorization


Accountability

Log subject's access to everything
Ensure subjects adhere to the security policy
Prevent unauthorized behaviour
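As an added example (not part of the original post), a tiny reference monitor in Python ties the definitions above together: subjects request read or write operations on objects, every decision is logged for accountability, and a review function lists granted-but-unused rights as least-privilege candidates. The subject, object and permission names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

READ, WRITE = "read", "write"  # confidentiality guards reads, integrity guards writes

@dataclass
class ReferenceMonitor:
    # Access matrix: object -> subject -> operations that subject may perform
    acl: Dict[str, Dict[str, Set[str]]]
    # Accountability: every request is recorded, whether granted or denied
    audit_log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def request(self, subject: str, obj: str, operation: str) -> bool:
        """Mediate one access: deny by default unless the matrix grants it."""
        allowed = operation in self.acl.get(obj, {}).get(subject, set())
        self.audit_log.append((subject, obj, operation, allowed))
        return allowed

    def denied_events(self) -> List[Tuple[str, str, str, bool]]:
        return [e for e in self.audit_log if not e[3]]

    def least_privilege_review(self) -> List[Tuple[str, str, str]]:
        """Rights granted in the matrix but never exercised: candidates to revoke."""
        used = {(s, o, op) for s, o, op, ok in self.audit_log if ok}
        return sorted(
            (subject, obj, op)
            for obj, subjects in self.acl.items()
            for subject, ops in subjects.items()
            for op in ops
            if (subject, obj, op) not in used
        )

def build_demo_monitor() -> ReferenceMonitor:
    """Constructed sample data (hypothetical subjects and objects), not real accounts."""
    rm = ReferenceMonitor(acl={
        "payroll.db": {"alice": {READ, WRITE}, "bob": {READ}},
        "notice.txt": {"alice": {READ}, "bob": {READ, WRITE}},
    })
    rm.request("bob", "payroll.db", READ)      # granted: bob may read
    rm.request("bob", "payroll.db", WRITE)     # denied: integrity, no unauthorized writes
    rm.request("carol", "payroll.db", READ)    # denied: confidentiality, carol has no entry
    rm.request("alice", "payroll.db", WRITE)   # granted
    rm.request("alice", "notice.txt", READ)    # granted
    return rm

if __name__ == "__main__":
    monitor = build_demo_monitor()
    print(monitor.audit_log)
    print("unused rights:", monitor.least_privilege_review())
```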

Access Controls (safeguards that protect objects from threats)
3 types of access controls:
physical access controls
logical access controls
administrative access controls

Physical access controls

Controls that limit physical access to objects
Examples :
Perimeter security
Fences
Walls
Limited access doors /rooms
Locked doors

Cable Security
Shielding from interference and emanations
Cabling media choice (fiber optic)
Conduit or other physical protection

Segregation of duties
Minimize "shoulder surfing"
Keeps a single person from completing a sensitive process

Administrative Access
Policies & Procedures
Security awareness training
Hiring practices
Monitoring

Logical Access

Technical controls:
  • Object access restrictions
    • Only allow access by authorized users
  • Encryption
    • Only allow authorized users to read data
  • Network architecture / segregation
    • Use architecture to keep network segments separate



